[gentoo-announce] [ GLSA 202309-09 ] Pacemaker: Multiple Vulnerabilities

    From [email protected]@21:1/5 to All on Fri Sep 29 11:10:03 2023
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202309-09
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: Pacemaker: Multiple Vulnerabilities
    Date: September 29, 2023
    Bugs: #711674, #751430
    ID: 202309-09

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Multiple vulnerabilities have been found in Pacemaker, the worst of
    which could result in root privilege escalation.

    Background
    ==========

    Pacemaker is an Open Source, High Availability resource manager suitable
    for both small and large clusters.

    Affected packages
    =================

    Package                Vulnerable    Unaffected
    ---------------------  ------------  ------------
    sys-cluster/pacemaker  < 2.0.5_rc2   >= 2.0.5_rc2
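
The `_rc2` bound in the table above is easy to misjudge with plain string or dotted-number comparison, since `2.0.5_rc1` is affected while `2.0.5_rc2` and `2.0.5` are not. The following added example (not part of the advisory and not Portage's own code) implements a simplified subset of Gentoo's version ordering and applies it to a constructed inventory; the hostnames, the inventory and the function names are assumptions.

```python
import re

# Simplified subset of Gentoo's version ordering (PMS): dotted numbers, an
# optional letter, _alpha/_beta/_pre/_rc/_p suffixes and an -rN revision.
_VERSION = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")
_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}  # no suffix = 0
FIXED_IN = "2.0.5_rc2"  # first unaffected version in the GLSA table

def _cmp(a, b):
    return (a > b) - (a < b)

def _parse(version):
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums, letter, suffixes, rev = m.groups()
    parsed = [(_RANK[t], int(n or 0))
              for t, n in re.findall(r"_([a-z]+)(\d*)", suffixes)]
    return nums.split("."), letter, parsed, int(rev or 0)

def vercmp(left, right):
    """Return -1, 0 or 1 as left is older than, equal to or newer than right."""
    (ln, ll, ls, lr), (rn, rl, rs, rr) = _parse(left), _parse(right)
    result = _cmp(int(ln[0]), int(rn[0]))
    for x, y in zip(ln[1:], rn[1:]):
        if result:
            break
        if x[0] == "0" or y[0] == "0":  # leading zero: compare as fractions
            result = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            result = _cmp(int(x), int(y))
    result = result or _cmp(len(ln), len(rn)) or _cmp(ll, rl)
    # A trailing "no suffix" sentinel makes _rc sort below the plain release
    # and _p above it when one side has fewer suffixes.
    result = result or _cmp(ls + [(0, 0)], rs + [(0, 0)])
    return result or _cmp(lr, rr)

def vulnerable_hosts(inventory):
    """Names of hosts whose installed version is below FIXED_IN."""
    return sorted(h for h, v in inventory.items() if vercmp(v, FIXED_IN) < 0)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"node-a": "2.0.4-r1", "node-b": "2.0.5_rc1", "node-c": "2.0.5_rc2",
          "node-d": "2.0.5", "node-e": "2.1.6"}
print(vulnerable_hosts(SAMPLE))  # ['node-a', 'node-b']
```
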

    Description
    ===========

    Multiple vulnerabilities have been discovered in Pacemaker. Please
    review the CVE identifiers referenced below for details.

    Impact
    ======

    Please review the referenced CVE identifiers for details.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Pacemaker users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-cluster/pacemaker-2.0.5_rc2"

    References
    ==========

    [ 1 ] CVE-2018-16877
    https://nvd.nist.gov/vuln/detail/CVE-2018-16877
    [ 2 ] CVE-2018-16878
    https://nvd.nist.gov/vuln/detail/CVE-2018-16878
    [ 3 ] CVE-2019-3885
    https://nvd.nist.gov/vuln/detail/CVE-2019-3885
    [ 4 ] CVE-2020-25654
    https://nvd.nist.gov/vuln/detail/CVE-2020-25654

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202309-09

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email protected] or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2023 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5